Tuesday, August 23, 2005

To skype or not to skype

While I do like the userfriendliness and extreme ease of use of skype, it has a few big problems, that by them self probably had made me avoid skype, and combined even made me motivated enough to write this.

Skype uses a proprietary protocol. The information about how the clients communicate (with login server/other clients/supernodes) is not publicly available. This means that it is not possible to create third part clients without a blessing from Skype Technologies S.A [or what ever they are called, some Evil Corporation at least :) ], if they do it at all. The official client of course isn't open source, so you cant derive the protocol from that in an easy way. The client being closed source also makes the need of writing third part clients even larger. But even more important, there is no way to do a security analysis of the protocol! I don't really care if the protocol is secure or not, but I want to know how secure it is so I know when I should and when I shouldn't use it. All protocols that claims to be secure should be open for public scrutinizing. The skype protocol claims to use RSA to negotiate AES-keys, but without information about the implementation it impossible to say anything about the security.

The skype network is assembled in an ad hoc way. You don't know how your call is routed. Your call may be routed though nodes that are completely out of your control, you cant sign an agreement about a good service level with them. Other users calls may be routed through you, degrading your performance. The end-to-end nature of skype is totally in line with the internet philosophy with the network being dumb, but this is spoiled by having traffic routed through other nodes.